Study of RPL DODAG Version Attacks - aims … · Motivations 7/1/2014 A Study of RPL DODAG Version...
Transcript of Study of RPL DODAG Version Attacks - aims … · Motivations 7/1/2014 A Study of RPL DODAG Version...
Study of RPL DODAG Version Attacks
Anthéa Mayzaud
7/1/2014 1
Anuj Sehgal
Jürgen Schönwälder Isabelle Chrisment Rémi Badonnel
IFIP AIMS 2014 – Brno, Czech Republik
A Study of RPL DODAG Version Attacks
Motivations
7/1/2014 A Study of RPL DODAG Version Attacks 2
• Currently, no study of the consequences of these attacks targeting Internet-of-Things (IoT) networks
• Existing security strategies based on cryptographic operations
‒ VeRa, Version Number and Rank Authentication in RPL [1] ‒ TRAIL, Topology Authentication in RPL [2]
• Supporting the creation of a baseline to better develop mitigation strategies
• Observing attack-related patterns in order to improve counter-measures
What is the impact of such an attack in an IoT network and does it make sense to mitigate it ?
Outline
• Background – Internet of Things – RPL Protocol
• Analysis of Version Number Attacks – Attack Description – Experimental Setup – Analysis Metrics
• Impact Evaluation Results – Control Packet Overhead – Delivery Ratio – End-to-end Delay – Number of Loops and Inconsistencies
• Conclusions
7/1/2014 3 A Study of RPL DODAG Version Attacks
Outline
7/1/2014 4 A Study of RPL DODAG Version Attacks
• Background – Internet of Things – RPL Protocol
• Analysis of Version Number Attacks – Attack Description – Experimental Setup – Analysis Metrics
• Impact Evaluation Results – Control Packet Overhead – Delivery Ratio – End-to-end Delay – Number of Loops and Inconsistencies
• Conclusions
Internet of Things
7/1/2014 A Study of RPL DODAG Version Attacks 5
• Large-scale deployment of connected objects ‒ Sensors (wired or wireless)
‒ RFID chips
‒ Actuators…
• Interactions and cooperations among objects
• Various application domains
‒ Logistics, transport
‒ Smart environments
‒ E-health…
Illustration solarfeeds.com
Background
LLN Networks and RPL
7/1/2014 A Study of RPL DODAG Version Attacks 6
802.15.4 PHY
802.15.4 MAC
6LoWPAN
IPv6 RPL
TCP/UDP
• Nodes with strong constraints
‒ Energy
‒ Memory
‒ Processing
• Lossy links
• Low throughputs
• Existing routing protocols are not appropriate
• Design of a dedicated stack
RPL : Routing Protocol for LLNs
LLN : Low power and Lossy Network
Background
The Routing Protocol for LLNs (RPL)
7/1/2014 A Study of RPL DODAG Version Attacks 7
• Protocol description
‒ RFC 6550 (March 2012) [3] ‒ IPv6-based distance vector protocol ‒ Building of specific graphs called DODAG
(Destination Oriented Directed Acyclic Graph) ‒ 3 ICMPv6 control messages (DIS, DIO, DAO)
• Traffic patterns
‒ Multipoint-to-point (MP2P) ‒ Point-to-multipoint (P2MP) ‒ Point-to-point (P2P)
• RPL instance
‒ Set of DODAGs ‒ Optimized for a given routing objective based
on metrics/constraints
1
9 8
5 4
3 2
Background
RPL DODAG Principle
7/1/2014 A Study of RPL DODAG Version Attacks 8
Root: destination node which manages the DODAG graph
Upward routes: built with DIO messages to reach the root
Trickle timer: used to define sending frequency of control messages
Downward routes: built with DAO messages to reach a node
Node rank value: used to indicate node’s position with respect to the root ; always increasing in the downward direction
Metrics: used to characterize links and select the preferred parent
1
9 8
5 4
3 2
Root Downward direction
Upward direction
Background
RPL DODAG Principle
7/1/2014 A Study of RPL DODAG Version Attacks 9
1
9 8
5 4
3 2
DIO DIO
Upward direction
Downward direction
Root: destination node which manages the DODAG graph
Upward routes: built with DIO messages to reach the root
Trickle timer: used to define sending frequency of control messages
Downward routes: built with DAO messages to reach a node
Node rank value: used to indicate node’s position with respect to the root ; always increasing in the downward direction
Metrics: used to characterize links and select the preferred parent
Background
7/1/2014 A Study of RPL DODAG Version Attacks 10
1
9 8
5 4
3 2
DAO DAO
DAO DAO
Upward direction
Downward direction
Root: destination node which manages the DODAG graph
Upward routes: built with DIO messages to reach the root
Trickle timer: used to define sending frequency of control messages
Downward routes: built with DAO messages to reach a node
Node rank value: used to indicate node’s position with respect to the root ; always increasing in the downward direction
Metrics: used to characterize links and select the preferred parent
Background RPL DODAG Principle
7/1/2014 A Study of RPL DODAG Version Attacks 11
Rank = 4
Rank = 3
Rank = 2
1
9 8
5 4
3 2
Root
Root: destination node which manages the DODAG graph
Upward routes: built with DIO messages to reach the root
Trickle timer: used to define sending frequency of control messages
Downward routes: built with DAO messages to reach a node
Node rank value: used to indicate node’s position with respect to the root ; always increasing in the downward direction
Metrics: used to characterize links and select the preferred parent
Background RPL DODAG Principle
7/1/2014 A Study of RPL DODAG Version Attacks 12
Rank = 4
Rank = 3
Rank = 2
1
9 8
5 4
3 2
Root
Root: destination node which manages the DODAG graph
Upward routes: built with DIO messages to reach the root
Trickle timer: used to define sending frequency of control messages
Downward routes: built with DAO messages to reach a node
Node rank value: used to indicate node’s position with respect to the root ; always increasing in the downward direction
Metrics: used to characterize links and select the preferred parent
Background RPL DODAG Principle
Other RPL Mechanisms
7/1/2014 A Study of RPL DODAG Version Attacks 13
Datapath Validation [4]
• Data control mechanism used to detect loops • Flags in the Hop-by-Hop option header • ‘O’ flag used to track packet direction • ‘R’ flag used to track rank error (mismatch between ‘O’ flag
and current direction of a packet)
Version Number
• Version of a DODAG graph • DIO field supposed to remain
unchanged by the other nodes • Only incremented by the root • Used to rebuild the DODAG
(global repair)
10
7
6
4
1
2
5
8
3
9
Available link
Link in Version N
Link in Version N+1
Background
Outline
7/1/2014 14 A Study of RPL DODAG Version Attacks
• Background – Internet of Things – RPL Protocol
• Analysis of Version Number Attacks – Attack Description – Experimental Setup – Analysis Metrics
• Impact Evaluation Results – Control Packet Overhead – Delivery Ratio – End-to-end Delay – Number of Loops and Inconsistencies
• Conclusions
Attack Description
7/1/2014 15 A Study of RPL DODAG Version Attacks
• Increment of the version number by an attacker
• Propagation of the malicious version number
• Direct consequences ‒ Unnecessary rebuilding ‒ Control message
overhead ‒ Loops generation
• Indirect consequences ‒ Impact on energy
reserves ‒ Data packets loss ‒ Channel availability
10
9
12
7
6
17 13
20 4
1
3
2
5
8
Available link
Analysis of Version Number Attacks
15
18 14
16
19 11 11
Experimental Setup
7/1/2014 A Study of RPL DODAG Version Attacks 16
• Grid topology of 20 nodes
‒ Node 1 is the DODAG root ‒ Relocation of the attacker
to multiple positions
• Simulations based on Cooja (Contiki 2.6)
‒ 1 simulation without attacker as a baseline
‒ Duration of 50 min. ‒ 5 times each scenario ‒ Attacks start after 5 min.
11
10
9
12
7
6 18
17
16
14
13
19
20 4
1
3
2
5
8
15
Available link
Attack Message
Analysis of Version Number Attacks
Analysis Metrics
7/1/2014 A Study of RPL DODAG Version Attacks 17
• Control packet overhead Total number of RPL control packets (DIS, DIO, DAO) transmitted and received
• Delivery ratio Number of data packets successfully delivered to the sink compared to the number of data packets generated by all nodes
• Average end-to-end delay Average time spent for all packets from all nodes to be successfully delivered
• Number of inconsistencies Number of packets when a mismatch between the ‘O’ flag and the actual direction is detected
• Number of loops Number of packets when an inconsistency is detected with the ‘R’ flag
Analysis of Version Number Attacks
Outline
7/1/2014 18 A Study of RPL DODAG Version Attacks
• Background – Internet of Things – RPL Protocol
• Analysis of Version Number Attacks – Attack description – Experimental Setup – Analysis Metrics
• Impact Evaluation Results – Control Packet Overhead – Delivery Ratio – End-to-end Delay – Number of Loops and Inconsistencies
• Conclusions
Control Packet Overhead
7/1/2014 A Study of RPL DODAG Version Attacks 19
• Overhead for every node • 1250 control pkts without
attacker • Up to 18 times in the
worst case • Per column: maximum for
the nodes in the bottom row (4, 8, 12, 16, 20)
• Similar results for positions 2 and 5 which are minimums
Not only the number of neighbors, but also the distance from the root impacts the overhead.
Impact Evaluation Results
11
10
9
12
7
6 18
17
16
14
13
19
20 4
1
3
2
5
8
15
Per Node Outgoing Packet Overhead
7/1/2014 A Study of RPL DODAG Version Attacks 20
Overhead not only localized at the neighborhood of the attacker
Not only the attacker neighborhood is impacted, but also the entire network.
Impact Evaluation Results
11
10
9
12
7
6 18
17
16
14
13
19
20 4
1
3
2
5
8
15
Delivery Ratio
7/1/2014 A Study of RPL DODAG Version Attacks 21
• Reduced by up to 30% • Similar pattern than packets
overhead • Strong correlation between path
length and effects on the DR
The farther the attacker from the root, the worse the delivery ratio.
Impact Evaluation Results
Average end-to-end delay
7/1/2014 A Study of RPL DODAG Version Attacks 22
• Almost doubled • High variation in the results
Impact Evaluation Results
No strong correlation between location of the attacker and the delay .
11
10
9
12
7
6 18
17
16
14
13
19
20 4
1
3
2
5
8
15
Loops and Inconsistencies
7/1/2014 A Study of RPL DODAG Version Attacks 23
• Same pattern • Greater distance from
root, lesser inconsistencies • Proximity to the root and
most number of neighbors, highest number of loops
Larger number of neighbors and attacker proximity to root lead to higher number of loops and inconsistencies.
Impact Evaluation Results
Inconsistencies per Node
7/1/2014 A Study of RPL DODAG Version Attacks 24
Inconsistencies mostly located around the attacker
Impact Evaluaiton Results
Majority of inconsistencies is detected by parents of the attacker and also by its children.
11
10
9
12
7
6 18
17
16
14
13
19
20 4
1
3
2
5
8
15
Outline
7/1/2014 25 A Study of RPL DODAG Version Attacks
• Background – Internet of Things – RPL Protocol
• Analysis of Version Number Attacks – Attack Description – Experimental Setup – Analysis Metrics
• Impact Evaluation Results – Control Packet Overhead – Delivery Ratio – End-to-end Delay – Number of Loops and Inconsistencies
• Conclusions
Conclusions and Future Work
7/1/2014 A Study of RPL DODAG Version Attacks 26
• Perspectives ‒ Extension to more complex topologies ‒ Evaluation of existing solutions based on observed baseline ‒ Development of lightweight mitigation strategies based on
identified attack patterns
• Study of the impact of version number attacks within RPL networks ‒ Increase of control packets overhead by up to 18 times ‒ Decrease of delivery ratio by up to 30% ‒ End-to-end delay nearly doubled ‒ Strong correlation between the position of the attacker and the
observed effects ‒ RPL network lifetime can be drastically shorten
References
7/1/2014 A Study of RPL DODAG Version Attacks 27
[1] Dvir et al., VeRa – Version Number and Rank Authentication in RPL, in Proc. of the IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), 2011, Hangzou, China.
[2] Perrey, H. et al., TRAIL: Topology Authentication in RPL, in CoRR, 2011 .
[3] Winter, T. et al., RPL, IPv6 Routing Protocol for Low-Power and Lossy Networks. IETF RFC 6550 (March 2012).
[4] Hui, J. and Vasseur, J., The Routing Protocol for Low-Power and Lossy Networks (RPL) Option for Carrying RPL Information in Data-Plane Datagrams. IETF RFC 6553 (March 2012).
[5] Contiki project: http://www.contiki-os.org [6] Tsao, T. et al., A Security Threat Analysis for Routing Protocol for Low-power and Lossy Networks (RPL). IETF Internet Draft (December 2013).